ICO and Financial Ombudsman Rant

xlnc99

Both useless companies, utter useless.

Did a SAR for a company, they sent me details but were missing out key information including default notices and information about the debt. Emailed them, called them didnt bother responding. Complained to FOS and ICO back in November.

Its now approaching March and as of yet the company still hasnt sent the info. ICO said they too busy to look at my case and will do in 6 weeks. FOS looked at it and in December asked the company to send the info. Asked for an update in JAN, FOS said the company replied saying they will send it soon. Asked for another update in Feb and the FOS said they company said they are waiting to get the info from a third party and when it comes they will send it

I am furious at all three companies. Its been 6 months and legally they are allowed 30 days! ICO haven't bothered to do anything - what are they there for? FOS are incompetent as they are being fed lies by the company. Third party? What third party - this was never passed onto a third party. The company issued the default

Question is - what else can you do?

Answer - Nothing!

eskbanker

xlnc99 said:

I am furious at all three companies. Its been 6 months and legally they are allowed 30 days!

The company to whom you sent the SAR are indeed obliged to respond within 30 days, but there is no such service level for complaints to ICO and FOS, who are both renowned for slow turnaround times.  FOS in particular specify an average of four months to assign a case handler and if you only referred the matter to them in November you won't even have reached that yet, although it sounds like they have made some sort of start....

xlnc99

Yes i understand they are very slow. But what is the point in giving a rule of 30 days to respond but 6 months down the line they still havent done anything and you cant do anything about it? Any company can do the same, its just pointless giving a 30 day deadline

It just doesnt make sense

eskbanker

Companies failing to adhere to their legal responsibilities under DPA open themselves up to sanctions from ICO but these are obviously on a scale - a company with lax security allowing personal data for thousands of people to be disclosed is likely to be fined, but one that takes its time to respond to SARs might eventually get a slap on the wrist if it's a clearly repeated pattern and enough folk complain about it....

xlnc99

Its a farce. There should be a department of the ICO that deals with companies not complying with this and then all they need to do is send them an email to remind them to send the data! I mean what if its urgent and the data is needed badly for some reason?

I read on the ICO website the other day if a company doesnt respond within 30 days let us and we will contact them ASAP.

LIES

eskbanker

xlnc99 said:

Its a farce. There should be a department of the ICO that deals with companies not complying with this and then all they need to do is send them an email to remind them to send the data! I mean what if its urgent and the data is needed badly for some reason?

I read on the ICO website the other day if a company doesnt respond within 30 days let us and we will contact them ASAP.

LIES

That's not what it suggests at https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/what-to-do-if-the-organisation-does-not-respond-or-you-are-dissatisfied-with-the-outcome/ (after step 1 of complaining to the SAR recipient):

Step 2 – Report your concerns to the ICO

If you’ve complained to an organisation and you still do not receive any response, or remain unhappy with their handling of your subject access request, you can make a complaint to the ICO.

We cannot:

• act as your representative;

• award compensation; or

• punish an organisation for breaking the law (apart from in the most serious cases).

However, if we think the organisation has not responded to your request as it should have done, we can give them advice and ask them to solve the problem.

You should raise your concerns with us within three months of your last meaningful contact with the organisation.

xlnc99

Wow! I must have read a different website. This is truly astonishing. What a big gaping hole for companies to get away with this nonsense. I also read on that site that the fines are so small, like £5,000!

eskbanker

xlnc99 said:

Wow! I must have read a different website. This is truly astonishing. What a big gaping hole for companies to get away with this nonsense. I also read on that site that the fines are so small, like £5,000!

As I said, any enforcement action ICO takes will be relative to the scale of any incident, so last year they announced a fine of £183.39m for BA because of inadequate security jeopardising the personal data of 500,000 customers, and £100,000 for EE for sending 2.5m unauthorised text messages, but with all due respect, a tardy response to a SAR is hardly in the same league....

https://ico.org.uk/action-weve-taken/enforcement/

xlnc99

I understand my situation is small fish compared to the examples you mentioned. But my point is - what is to stop companies not complying with the 30 day rule? Nothing really. I mean 6 months just takes the mick.

Also the examples you given are for data breach and sending too many text messages for marketing i guess. My situation is for companies sending individuals what they are legally required to do so. It takes the biscuit, it really does. Nothing to do but wait. Cant do anything about it

eskbanker

xlnc99 said:

I understand my situation is small fish compared to the examples you mentioned. But my point is - what is to stop companies not complying with the 30 day rule? Nothing really. I mean 6 months just takes the mick.

Also the examples you given are for data breach and sending too many text messages for marketing i guess. My situation is for companies sending individuals what they are legally required to do so. It takes the biscuit, it really does. Nothing to do but wait. Cant do anything about it

The ICO's focus is almost exclusively matters arising from the Data Protection Act, which imposes many legally-binding obligations on all organisations processing personal data, so all of the examples relate to breaches of that legislation, including yours.

As pointed out in a different context on another thread, bodies like ICO and FCA/FOS have a fairly narrow legislatively-defined remit, so if you're unhappy with that remit then you need to take this up with your elected representative....

xlnc99

what do you mean by elected representative?